No week seems to pass by anymore without a news article or notice being posted about a computer security breach, or ransomware attack.  Many of these attacks are being conducted by sophisticated criminal organisations – or worse yet – nations with more hostile intent.  These attacks have often exploited passwords and credentials that have been stolen, and more often result in the exposure of many more accounts that can now be used to cause further damage.

A common response to these reports is to press the messaging about the importance of good password hygiene, including longer passwords and avoiding easy-to-guess variants.  This is good advice, but it falls short of significantly improving overall computer system security.  In response, organisations are increasingly implementing user identification systems based on “Multi-Factor Authentication,” or MFA for short.

Authentication is the process that is used to determine the identity of the person using a computer system.  Once a person’s identity can be determined then a set of privileges can be determined for what that individual can do in the system.  Computer security consultants will often fall back to a key phrase they use to describe the attributes or factors that would be ideal for determining the identity of a computer user.  The phrase is “Something you know, something you have, and something you are.”  The more of these factors that can be used the stronger the confidence in authenticating the identity of a user.

Entering your account name and password satisfies the “Something you know” factor.  This is just a single factor, and as we are learning, it is often not up to the task of securing an account.  It turns out that although it is something you know, you may not be the only one who knows it.  Adding further authentication factors improves security by adding proof that the individual using the sign-in credentials is who they claim to be.  This is the origin and intent of multi-factor authentication systems.

The most common additional authentication factor to add is “Something you have.”  This means providing a computer user with some type of physical device that is unique to them.  Mobile phones have become ubiquitous, so these can often be used in this role.  Systems that send a code as a text message to a user’s phone and have that code entered as part of the sign-on are one example.  More sophisticated methods use an application on the mobile device that uses cryptographic magic to display a sign-in code that could only have been generated from that mobile device.  Variations on this theme may bypass the mobile device in favor of a dedicated hardware token that displays a time-limited code or a smart card that needs to be inserted.  All of these mechanisms add a physical item in the user’s possession to the authentication process. “Something you have” authentication should be the absolute minimum for any internet-facing application, including remote access and email.

When discussing the “Something you are,” factor we enter the world of biometrics.  This adds some physical attribute of the user to the authentication process.  Think fingerprints and facial recognition as implementations of this.  It becomes much harder than a password for a malicious entity to steal these, and it’s also true that a user cannot forget it at home or lose it. Whilst not all technologies support “Something you are” authentication, if supported, it should be considered. We expect these technologies to grow and improve over time.

Adding an additional authentication factor dramatically improves sign-in security and can even improve the user experience.  There are a variety of tools and products that can be used to add authentication factors in an organisation.  Microsoft provides a multi-factor authentication solution that can be used as part of Microsoft 365.  The Microsoft solution adds security via the user’s mobile device, using an application, text, or phone call.  This is an excellent solution for organisations that have made investments in Cloud enablement with Microsoft and is strongly recommended.

Another of the available implementation options is to use Cisco’s Duo product to provide a general MFA solution that is not tied to a specific Cloud provider.  The Duo solution can be implemented in a variety of scenarios – including remote access – and supports multiple types of additional devices for securing user authentication.

These solutions and others are available in the marketplace and offer a significant security improvement over using only passwords to secure access to your systems and data. What is true is that no application on the internet should only be protected by a username and password; “Something you know” is not sufficient and MFA helps to plug this gap.

Contact Jupiter Group to request information about improving your security posture today.

I don’t think anyone will dispute that we’re living through an unprecedented time.  The COVID-19 pandemic is affecting almost all areas of our lives, including how we work, play and shop. One of the things that hasn’t changed is that security threats are rampant, and many are taking advantage of COVID-19 specifically.  What should Chief Security Officers (CSOs) and other computer security professionals be considering in this unique moment?

There has been a dramatic increase in all the normal scams and attacks but now using COVID-19 as a keyword to lure people in. There has been an increase in spam and phishing attacks using this approach. Many of these are being used to entice clicks that spread malware. These attacks will often attempt to impersonate health organisations or charities.

Governments have been introducing enhanced unemployment benefits and other economic stimulus programs. Malicious attackers are exploiting confusion related to these programs along with the real desperation of folks trying to get this relief, to introduce scams offering to help them apply or expedite their requests. These attacks are harvesting personal information or extorting payments from the victims.

Organisations frequently have existing security protections in place against these types of attacks, including updated spam filters, anti-virus signatures, and message hygiene solutions. However, the biggest contribution to safety is to accelerate and update your security communication. Updating your community about the most common threats is practical protection. This is not as easy as it sounds without up-to-date and relevant information about trending threats, though. Have you got an internal procedure for monitoring the threat landscape, and are you getting this information from your ICT provider?

COVID-19 has forced organisations to embrace working from home. Now there are more workstations and mobile devices that are no longer under the enterprise’s control. They will, however, be accessing and potentially storing the organisation’s data. Having a solid VPN, gateway or remote server solution is critical to safely setting up work-from-home capability. This will at least satisfy the need to protect information in transit, but it doesn’t prevent unwanted attention from COVID-19 savvy attackers.

As an organisation, consider the learnings that you can incorporate in your overall disaster readiness planning. Many organisations have considered the most likely areas of concern, such as fire, severe weather or theft. Organisations in the post SARS and COVID era need to include pandemic planning as a part of their scenario planning. Health experts are warning about a COVID-19 resurgence later in the year, and the potential for more outbreaks in the future exists.

The good news is whether you had a plan for this or you didn’t, there is an opportunity to harvest the learnings and incorporate them into your disaster planning. Perform a solid debrief and document what worked well (and most importantly, what didn’t). What surprised you? There is an opportunity to save the future you from having to re-learn these lessons.

These will be trying times for organisations, and it’s tempting to let cyber-security considerations take a backseat to the immediate requirements of ‘just surviving’. Jupiter Group has security solutions and expertise that we can provide to help you through this and future challenges. Talk to us about how to prepare your business for the obvious and the unlikely alike.

Digital Transformation has evolved into an overused buzzword. The original meaning has been diluted to the point where every technology initiative is branded as Digital Transformation. Having the focus on the technology brings the wrong lens to these projects. Digital Transformation is about business and it starts and ends with business as the focus. Well, maybe more accurately, it starts with the customer and ends with the business.

Digital Transformation is about mining a business to find new opportunities. It’s about a mindset of continuous improvement, embracing disruption, and leaving no room for competitors to impose on your business. The attitude is if we don’t bring the disruption to our industry, someone else will.

The practical question is “how does a business accomplish this”? Every business or organisation works on a set of implicit assumptions that become embedded in the culture. This culture is often the largest obstacle to change. Quite often it takes a fresh set of eyes or a careful openness to surfacing these assumptions and questioning them. Assumptions like “our customers call us when they need parts.”  Really? Why? Could you phone them? Why the phone? Who did they call before they called you?


Not every Transformation needs to be a moon shot. Incremental improvements are fair game; what differentiates a Digital Transformation project from other types of initiatives is that Transformation takes on the culture and embedded assumptions.


The most successful Digital Transformation efforts are completed by cross-functional teams. It turns out that an organisation’s structure is often a barrier holding a business back. Asking a cross-functional team to take off their departmental jersey and consider the whole company can unlock new potential.

Digital Transformation should revolve around the customer. Consider each customer interaction and its full life-cycle. Simply putting a process online is not Digital Transformation. Digital sure, but not transformation unless something in the underlying business process changes to add value to that interaction. There have been successful Transformation projects that address the employee as the customer and optimise internal processes, but the external facing elements tend to have larger benefits.

For a business, particularly a small or medium-sized business, engaging in Digital Transformation can be difficult due to lack of experience. Organisations can become accomplished at this, but some initial coaching and guidance will set them off on the right foot.

Organisations like Jupiter Group can provide the professional consulting expertise to facilitate this process. Our process uses initial facilitated discovery workshops to brainstorm opportunities. Those ideas are then evaluated and refined to determine which should be pursued. Using an experienced set of eyes and hands pays dividends in accelerating the process and ensuring success for any Transformation project. Speak with our team today about your Digital Transformation.